Abstract

We propose a new homomorphic encryption scheme based on the hardness of decoding under
independent random noise from certain affine families of codes. Unlike in previous lattice-based
homomorphic encryption schemes, where the message is hidden in the noisy part of the
ciphertext, our scheme carries the message in the affine part of the transformation and applies
noise only to achieve security. Our scheme can tolerate noise of arbitrary magnitude, as long as
the noise vector has sufficiently small Hamming weight (and its entries are independent).

Our design achieves "proto-homomorphic" properties in an elementary manner: message
addition and multiplication are emulated by pointwise addition and multiplication of the
ciphertext vectors. Moreover, the extremely simple nature of our decryption makes the scheme
easily amenable to bootstrapping. However, some complications are caused by the inherent
presence of noticeable encryption error. Our main technical contribution is the development of
two new techniques for handling this error in the homomorphic evaluation process.

We also provide a definitional framework for homomorphic encryption that may be useful 
elsewhere. 

1 Introduction 

Homomorphic encryption was proposed by Rivest, Adleman, and Dertouzos [RAD78] over three 
decades ago as a mechanism for secure delegation of computation to an honest but curious server. 
While some partial progress was made over time, the first such cryptographic schemes were proposed 
only a few years ago, starting with the breakthrough work of Gentry [Gen09a, Gen09b]. 

Since then, several such schemes have been proposed [vDGHV10, BV11, GH11, BGV12]. These
schemes vary widely in their underlying security assumptions as well as the simplicity and efficiency 
of the constructions. However at a fundamental level, they all rely on the same idea of hiding 
information inside the noise of lattice-based encryptions. 

We propose a new way to achieve homomorphic encryption based on codes rather than lattices. 
In both code and lattice based cryptosystems, encryptions are obtained by applying an affine trans- 
formation to an input and adding some noise. The two differ in the way they encode information. 
In lattice based cryptography, the information is encoded inside the noise and the security of the 
system relies on the inability to distinguish different noise patterns. In code-based cryptography, 
the information is encoded in the input to the affine transformation, while the role of the noise is 
to prevent its inversion (and more generally deducing various properties of the input). 
2 Our cryptosystem



Our main result is a construction of a homomorphic public-key encryption scheme from a code- 
based public-key encryption scheme with some special properties. The code-based scheme which 
is the base of our construction is new. We arrived at it by combining the structure of encryptions 
of the local cryptosystem of Applebaum, Barak, and Wigderson [ABW10] with a "key scrambling" 
idea of the McEliece cryptosystem [McE78]. We begin by discussing the proposed scheme and give 
evidence in favor of its security. The design is motivated by certain algebraic requirements that 
enable the implementation of homomorphic operations. We defer the discussion of these special 
properties to Section 3. 



2.1 The base cryptosystem K 

The ciphertexts in our cryptosystem are vectors of length $n$ over $\mathbb{F}_q$, where $q$ is a power of a prime. Three
additional parameters enter the description of the cryptosystem: the amount of randomness
$r$ used in the encryption, the size $s$ of the secret key, and the noise distribution $\mu$ over $\mathbb{F}_q$. We
will discuss the relationships between these parameters shortly; Conjecture 2.1 at the end of this
section summarizes the conclusion of this discussion. The message set of our encryption scheme is
the set $\mathbb{F}_q$.

Public-key encryption scheme K 

Key generation: Choose a uniformly random subset $S \subseteq \{1, \dots, n\}$ of size $s$ and an $n \times r$ matrix
$M$ from the following distribution. First, choose uniformly random but distinct values
$a_1, \dots, a_n$ from $\mathbb{F}_q$. Set the $i$th row of $M$ to

$$M_i = \begin{cases} [\,a_i \;\; a_i^2 \;\; \cdots \;\; a_i^{s/3} \;\; 0 \;\; \cdots \;\; 0\,], & \text{if } i \in S,\\[2pt] [\,a_i \;\; a_i^2 \;\; \cdots \;\; a_i^{s/3} \;\; a_i^{s/3+1} \;\; \cdots \;\; a_i^{r}\,], & \text{if } i \notin S. \end{cases}$$

The secret key is the pair $(S, M)$ and the public key is the matrix $P = MR$, where $R$ is a random
$r \times r$ matrix over $\mathbb{F}_q$ with determinant one. (Such a matrix can be efficiently sampled.)

Encryption: Given a public key $P$, to encrypt a message $m \in \mathbb{F}_q$, choose a uniformly random
$x \in \mathbb{F}_q^r$ and a noise vector $e \in \mathbb{F}_q^n$ by choosing each of its entries independently at random from $\mu$.
Output the vector $Px + m\mathbf{1} + e$, where $\mathbf{1} \in \mathbb{F}_q^n$ is the all-ones vector.

Decryption: Given a secret key $(S, M)$, to decrypt a ciphertext $c \in \mathbb{F}_q^n$, first find a solution to the
following system of $s/3 + 1$ linear equations over the variables $y_i \in \mathbb{F}_q$, $i \in S$:

$$\sum_{i \in S} y_i M_i = 0, \qquad \sum_{i \in S} y_i = 1 \tag{1}$$

with $y_i = 0$ when $i \notin S$. Output the value $\sum_{i \in [n]} y_i c_i$.



To understand the functionality of this scheme, let us first assume that no noise is present, that
is, $\mu$ always outputs zero. The decryption of an encryption of $m$ is then given by

$$y^T(Px + m\mathbf{1}) = (y^T M) R x + m \cdot y^T \mathbf{1} = \Big(\sum_{i \in S} y_i M_i\Big) R x + m \sum_{i \in S} y_i = m$$

by the constraints (1) imposed on $y_i$. We must argue that these constraints can be simultaneously
satisfied. This follows from the fact that the matrix specifying the system of equations (1) is an
$s \times (s/3 + 1)$ Vandermonde matrix, which has full rank and is therefore left-invertible.

When noise is present in the encryption, the decryption could produce the wrong answer when
at least one of the noisy entries lands inside the hidden set $S$. By a union bound this happens
with probability at most $\eta s$, where $\eta = \Pr[\mu \neq 0]$ is the noise rate of the scheme.

2.2 Relation with the McEliece and ABW cryptosystems 

While we are unable to argue the security of our proposed scheme by formal reduction to a previ- 
ously studied one, we describe how our scheme combines ideas from the existing cryptosystems of 
McEliece and Applebaum, Barak, and Wigderson (ABW), with an eye towards inheriting the se- 
curity features of these schemes. We take some small liberties in our discussion of these encryption 
schemes in order to emphasize the parallels to our proposed scheme. 

In the McEliece cryptosystem based on the Reed-Solomon code, the public key looks exactly
like in our scheme, except that the secret subset $S$ is empty (i.e., $s = 0$). The syntax and semantics
of the encryption, however, are somewhat different. The message set is $\mathbb{F}_q^r$, and an encryption of
a message $x \in \mathbb{F}_q^r$ has the form $Px + e$, which looks like a noisy codeword of the Reed-Solomon
code.¹ Decryption is performed by applying an error-correction algorithm to this codeword. What
prevents the adversary from applying the error correction himself is the fact that the (randomized)
evaluation points of the Reed-Solomon code are not revealed in the public key, owing to the presence
of the "key scrambling" matrix $R$.

In our proposed cryptosystem, the vector $x \in \mathbb{F}_q^r$ does not represent the message but is used
to randomize the encryption. Since $P$ and $M$ are generator matrices of the same linear code, the
encryption of a message $m \in \mathbb{F}_q$ can be viewed as an affine shift of a random codeword of this code
by $m$ units in every coordinate. To thwart decoding by inverting this affine transformation, noise
is injected into some of the coordinates. The ability to decrypt now relies not on the existence of
efficient error correction for the Reed-Solomon code, but on the trapdoor $S$. The submatrix $M_S$ of
$M$ indexed by the rows in $S$ has a structure similar to that of the whole matrix $M$, but on a smaller scale.
The scale $s$ of this "self-similarity" will be chosen small enough so that noise is unlikely to make it
into the codeword coordinates indexed by $S$, allowing for very simple decoding via linear algebra.

Thus at a structural level, our proposed cryptosystem is quite similar to the ABW cryptosystem.
Besides the superficial difference that the ABW system operates over the field $\mathbb{F}_2$ while our system
will be instantiated over a larger field, the main difference is in the choice of the public key matrix
$P$. In the ABW system, the choice of this matrix is constrained by the fact that the encoding needs
to be performed in a local manner. In our case, we will need $M$ (and therefore $P$) to have the specific
algebraic structure that enables homomorphic operations.

2.3 Parameters and security 

We now turn to arguing the security of our scheme against certain natural attacks. The form
of security that we aim to achieve is the standard notion of $(s, \varepsilon)$ (key independent) message
indistinguishability, which asks that for every pair of messages $m, m' \in \mathbb{F}_q$, the encryptions of $m$
and $m'$ are indistinguishable with advantage $\varepsilon$ by circuits of size $s$ that are given the public key,
where the randomness is taken over the choice of keys.²

¹ One security issue is that these ciphertexts are not message indistinguishable.

We describe the attacks at a somewhat informal level in order to gain intuition about the setting
of the parameters $n, q, r, s$, and $\eta$ for which the proposed scheme could be secure. For convenience in
further discussion, $n$ will play the role of the security parameter and we propose values for the other
parameters in terms of $n$. Ultimately all of these parameters will be polynomially related to $n$; the
exact polynomial dependencies, which are chosen with some foresight, are described by a constant
$\alpha > 0$, whose significance will become apparent in Section 5.1.

Recover the hidden subset $S$ from the public key. A natural attack for the adversary is to
locate or guess the hidden subset $S$. A brute-force search would go over all $\binom{n}{s}$ possible candidates
for $S$. For this search to take superpolynomial time, $s$ must grow with $n$.

Here is a more sophisticated kind of attack that attempts to obtain information about $S$. A
statistical way to distinguish the rows of $P$ that are indexed by $S$ from the other ones is based on
the dimension of the hidden vectors in the matrix $P$. For the purpose of describing this attack
we can pretend that $P = M$, as the attack only relies on the column space of $P$, which is identical
for the two matrices. One can attempt to locate the rows of $M_S$ by calculating the rank of various
$t \times r$ submatrices $D$ of $M$. If $D$ turns out not to be of full rank, then $D$ must contain a row indexed by $S$
(for otherwise $D$ would be a Vandermonde matrix and therefore of full rank). By performing such
rank calculations one could expect to find information about the subset $S$.

In Appendix A we show that for any $t \times r$ submatrix $D$ (depending on $S$) the rank of $D$ is full
with probability at least $1 - O(r^2/q)$, unless $D$ contains at least $s/3 + 1 + \max\{t - r, 0\}$ rows from
$M_S$. The probability is taken over the random choice of $a_1, \dots, a_n$ in the key generation algorithm.
A simple calculation shows that if $D$ were chosen at random (for any choice of $t$), it would be rank
deficient with probability at most $\min\{O(r^2/q),\ 1/\binom{n}{s}\}$.

Specifically, if we set $s = n^{\alpha/4}$ and $q$ on the order of $2^{n^\alpha}$, both of these attacks will require
exponential time, or only yield inverse exponential success probability.

Exploit the special properties of $M_S$ in the public key. In our decryption algorithm it was
crucial that the rows of the matrix $M_S$ satisfy the constraints of the linear system (1). However, this
special structure of $M_S$ could potentially be exploited by an adversary. For instance, an adversary
may set up a system of equations analogous to (1), but over all indices of the ciphertext instead of only
those in $S$. Specifically, the adversary sets up the following system of equations over the variables
$y_i$, $i \in [n]$:

$$\sum_{i \in [n]} y_i P_i = 0, \qquad \sum_{i \in [n]} y_i = 1.$$

Notice that the solution space of this system does not change if $P$ is replaced by $M$, and so in
particular it contains all the solutions to the system (1) (with $y_i = 0$ for $i \notin S$). If the adversary is
lucky, the solution space will contain only the solutions to (1), so by solving the system he would
gain the ability to decrypt.

By choosing $r$ to be sufficiently smaller than $n$ (we set $r = n^{1 - \alpha/8}$) we can ensure that the
system set up by the adversary has abundantly many solutions, most of which will be forced to
have very large Hamming weight. Such solutions are useless for decoding, as long as $\eta$ is not
trivially small, because the noise in the ciphertext is likely to affect some nonzero coordinate of $y$.

² Security can be proved even if $m$ and $m'$ are allowed to depend on the public key, but to avoid some technical
complications in the definitions we present our results with respect to the weaker notion.
Our homomorphic algorithms rely on one additional property of the matrix $M_S$, namely the
existence of solutions to the more constrained linear system (2) described in Section 3. We can
argue that the analogous attack fails by an argument similar to the one given here. Generally,
our intuition is that we can handle attacks that exploit the similarity between the matrices $M$ and
(the nonzero part of) $M_S$ by choosing the rows-to-columns aspect ratio of $M$ to be substantially
larger than the rows-to-columns aspect ratio of $M_S$, which is constant.

Recover the randomness $x$ used in the encryption. If the noise rate $\eta$ in the encryption is
too small, the adversary may be able to recover $x$ from, say, an encryption of $0$. For instance, if
the noise rate $\eta$ is smaller than $1/r$, then in an encryption of $0$ of the form $Px + e$ it would happen
with constant probability that no noise makes it into the first $r$ coordinates of the encryption. In that case,
the adversary could recover the randomness by inverting the first $r$ coordinates of the ciphertext.

We set the noise rate $\eta$ to $1/n^{1 - \alpha/4}$. Since $r = n^{1 - \alpha/8}$, any set of $r$ coordinates of a
ciphertext is expected to contain $r\eta = n^{\alpha/8}$ noisy entries and is therefore likely to contain noise,
which would make it exponentially hard to recover the randomness $x$.

Taking all these factors into consideration, we are now ready to conjecture the security of our
proposed cryptosystem K.

Conjecture 2.1. For every $\alpha > 0$ there exists $\gamma > 0$ such that the cryptosystem K with parameters
$r = n^{1 - \alpha/8}$, $\eta = 1/n^{1 - \alpha/4}$, $s = n^{\alpha/4}$ and $q \geq 2^{n^\alpha}$ is $(2^{n^\gamma}, 2^{-n^\gamma})$-message indistinguishable, for all $n$
that are sufficiently large.

We will use $\mathrm{K}_q(n)$ to denote an instantiation of the cryptosystem K with the parameters from
Conjecture 2.1 (except for $q$, which we leave as a free parameter).

2.4 Our main result 

For technical simplicity we state our definitions and results in the non-uniform setting. An extension 
to the uniform setting, which is more natural for homomorphic encryption, is straightforward. 
We chose to work in the simpler non-uniform setting in order to avoid distracting technical and 
notational complications. 

In our definition of homomorphic encryption we wish to distinguish between the standard de- 
cryption algorithm, which applies to encryptions of bits, and the homomorphic decryption algo- 
rithm, which applies to the output of the homomorphic evaluation circuit. Also, unlike previous 
homomorphic encryption schemes, ours carries the risk of a setup error, which we account for in 
the definition. 

Owing to this risk of error, it is possible that some of the inputs provided to the homomorphic 
evaluation circuit are themselves corrupted. To provide for this possibility, we give a somewhat 
more general definition of homomorphic evaluation: Instead of requiring that the circuit works 
well on encryptions of the inputs (which are not even well-defined in the setting of error-prone 
probabilistic encryption), we ask that they work on inputs that decrypt to the correct value. This 
feature of the definition will be very useful in the proofs. 

Definition 2.2. A homomorphic encryption scheme with setup error $\kappa$ for a circuit class $\mathcal{C} =
\{C : B^m \to B\}$ (where $B$ is a subset of the message set) consists of five circuits (Gen, Enc, Dec,
Eval, HDec), where (Gen, Enc, Dec) is a (probabilistic) public-key encryption scheme (for a formal
definition see e.g. [Gol04]), and Eval and HDec are (deterministic) circuits that satisfy

$$\Pr[\mathrm{HDec}_{SK}(\mathrm{Eval}_{PK}(C, c_1, \dots, c_m)) = C(m_1, \dots, m_m)] \geq 1 - \kappa$$

for every circuit $C \in \mathcal{C}$, every message $m \in \{0, 1\}^m$, and every collection of ciphertexts $c_1, \dots, c_m$
such that $\mathrm{Dec}_{SK}(c_i) = m_i$ for every $i$. The probability is taken over the choice of keys $(SK, PK) \sim$
Gen.

Let $C : \{0, 1\}^m \to \{0, 1\}$ be a boolean circuit with binary addition (i.e. XOR) and multiplication
(i.e. AND) gates of fan-in two. The depth of $C$ is the maximum number of gates on a directed path
of $C$. We let $\mathcal{C}_{cs,d}$ denote the class of such circuits with circuit size $cs$ and depth $d$.

Our main result is a construction of a "layered" homomorphic encryption scheme HOM based 
on K, which is fully described in Section 6. The following theorem summarizes the functionality and 
security properties of our scheme. The parameter k controls the setup error and can be instantiated 
to any desired value. 

Theorem 2.3. Let $q \leq 2^n$ be a power of two. Assume that the public-key encryption scheme $\mathrm{K}_q(n)$
is $(s(n), \varepsilon(n))$-message indistinguishable for every $n$ (where $s(n)$ and $1/\varepsilon(n)$ are nondecreasing
functions of $n$). Then HOM is an $(s(n^{0.1}) - dk \cdot \mathrm{poly}(n),\ O(dk\, n^{1.8}\, \varepsilon(n^{0.1})))$-message indistinguishable
homomorphic encryption scheme for $\mathcal{C}_{cs,d}$ with key length at most $O(dkn)$, encryption length $O(kn)$,
encryption error $2^{-\Omega(k)}$, and setup error $d \cdot 2^{-n^{\Omega(1)}}$.

2.5 Overview of HOM 

To begin, in Section 3 we show that the operations of pointwise addition and multiplication al- 
ready enjoy certain "proto-homomorphic" properties, which are sufficient to handle one layer of 
homomorphic multiplications. We formalize these properties using the new notion of encryption 
spaces, which may be a convenient conceptual tool for studying the functionality of homomorphic 
encryptions. The analysis relies on the special structure of the matrix M, specifically on the large 
redundancy of the constraint system (2). 

In Section 4 we give a formal definition of reencryption, a notion crucial to our construction as
well as to others. We prove that proto-homomorphic operations together with secure reencryption
give secure homomorphic schemes. We apply an idea of Gentry to obtain a reencryption for
our public-key scheme K. Unfortunately, owing to the inherent noise in our encryptions, the reencryption
substantially increases the length of ciphertexts, and the resulting homomorphic scheme
has a noticeable setup error.

Section 5 contains the main technical contributions of our work which address these deficiencies. 
We first give a secure length-preserving reencryption based on a recursive application of the length- 
increasing reencryption from Section 4 which we use to obtain homomorphic noise correction. We 
then give a generic mechanism for reducing the setup error, which extends von Neumann's method 
of building reliable circuits from unreliable components [vN56] to the homomorphic setting. 

Combining these results, we give the construction of HOM and prove Theorem 2.3 in Section 6. 

3 Encryption spaces and proto-homomorphic operations 

Since homomorphism of encryptions is a functionality rather than a security requirement, we feel 
that it is useful to decouple the functionality and security properties of the schemes under discussion. 
For this purpose we introduce the notion of an encryption space which is concerned with the set- 
theoretic properties of encryptions and abstracts away their statistical properties. 
Definition 3.1. An encryption space over message set $\Sigma$ and ciphertext set $\Xi$ is a triple (Keys, Enc, Dec),
where

• Keys is a set of admissible key pairs $(PK, SK)$,

• $\mathrm{Enc}_{PK}(\cdot)$ is a function that maps messages $m \in \Sigma$ into subsets of valid encryptions $\mathrm{Enc}_{PK}(m) \subseteq
\Xi$, and

• $\mathrm{Dec}_{SK}(\cdot)$ is a function that maps messages $m \in \Sigma$ into mutually disjoint sets of valid decryptions
$\mathrm{Dec}_{SK}(m) \subseteq \Xi$,

with the property that $\mathrm{Enc}_{PK}(m) \subseteq \mathrm{Dec}_{SK}(m)$ for every $(PK, SK) \in$ Keys and $m \in \Sigma$.

We will say that a public-key encryption scheme $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ implements the encryption
space (Keys, Enc, Dec) with encryption error $\delta$ if (1) the support of the output distribution of
$\mathsf{Gen}$ is contained in Keys; (2) for every $m$ and $PK$, $\Pr[\mathsf{Enc}_{PK}(m) \in \mathrm{Enc}_{PK}(m)] \geq 1 - \delta$; and
(3) for every $SK$ and $c \in \mathrm{Dec}_{SK}(m)$, $\mathsf{Dec}_{SK}(c) = m$. (Here and below, sans-serif $\mathsf{Enc}, \mathsf{Dec}$ denote the
algorithms of the scheme and roman $\mathrm{Enc}, \mathrm{Dec}$ the sets of the encryption space.)

An encryption space for K. Notice that for the functionality of the scheme K, it only matters
what happens to the part of the ciphertext that falls inside the hidden subset $S$. Our definition
of the encryption space $\mathbf{K} =$ (Keys, Enc, Dec) for K will capture this intuition. However, we
will equip $\mathbf{K}$ with an additional property which will be crucial to achieve proto-homomorphic
encryption.

We set Keys to be the support of the key generation algorithm Gen and $\mathrm{Enc}_{PK}(m)$ to be the
set of all ciphertexts of the form $Mx + m\mathbf{1} + f$, where $f_i = 0$ when $i \in S$ and $f_i$ can be arbitrary
when $i \notin S$. We define $\mathrm{Dec}_{SK}(m)$ as the collection of all ciphertexts $c$ that satisfy $y^T c = m$ for
some arbitrary but fixed $y$ that solves the following system of linear equations:

$$\sum_{i \in S} y_i\, (M_i \otimes M_i) = 0, \qquad \sum_{i \in S} y_i M_i = 0, \qquad \sum_{i \in S} y_i = 1 \tag{2}$$

with $y_i = 0$ when $i \notin S$. Here $M_i \otimes M_i$ denotes the tensor product of $M_i$ with itself, which we
view as a vector with at most $s^2$ entries (after removing the zero entries) whose $(j, k)$th entry is $a_i^j a_i^k =
a_i^{j+k}$. Notice that the system (2) is more constrained than the system (1) as it includes additional
equations. These equations will play a crucial role in enabling homomorphic multiplication.

Claim 3.2. $\mathbf{K}$ is an encryption space over message set $\mathbb{F}_q$.

Proof. To make sense of the definition of $\mathbf{K}$ we must first argue that the system (2) has at least
one solution $y$. Here is where the structure of the Reed-Solomon code comes in handy: although
the system (2) has as many as $s^2$ equations, they all repeat the following set of $2s/3 + 1$ equations:

$$\sum_{i \in S} y_i a_i^k = 0 \quad \text{for } k = 1, 2, \dots, 2s/3, \qquad \sum_{i \in S} y_i = 1.$$

The matrix of this system is an $s \times (2s/3 + 1)$ Vandermonde matrix and is therefore left-invertible,
so the system is guaranteed to have a solution.

The disjointness of the sets $\mathrm{Dec}_{SK}(m)$ is immediate. We now show that $\mathrm{Enc}_{PK}(m) \subseteq \mathrm{Dec}_{SK}(m)$
for every $m \in \mathbb{F}_q$. Let $c$ be of the form $Mx + m\mathbf{1} + f$ and let $y$ be any solution to (2). Since $y^T f = 0$,
we have that

$$y^T c = y^T (Mx + m\mathbf{1}) = \Big(\sum_{i \in S} y_i M_i\Big) x + m \Big(\sum_{i \in S} y_i\Big) = m,$$

which proves the claim. □

The next fact follows directly from the definitions of K and $\mathbf{K}$.

Fact 3.3. The encryption scheme K implements the encryption space $\mathbf{K}$ with encryption error $\eta s$.

Proto-homomorphic operations. We now define the notions of homomorphic and proto-homomorphic
operations on ciphertexts, which play an important role in homomorphic constructions.

Definition 3.4. Let (Keys, Enc, Dec) be an encryption space with message set $\Sigma$ and ciphertext
set $\Xi$. Let $\circ$ and $\circledast$ be binary operations on $\Sigma$ and $\Xi$, respectively.

• We will say $\circledast$ is homomorphic for $\circ$ if for every $(PK, SK) \in$ Keys and $m, m' \in \Sigma$,

$$\mathrm{Enc}_{PK}(m) \circledast \mathrm{Enc}_{PK}(m') \subseteq \mathrm{Enc}_{PK}(m \circ m').$$

• We will say $\circledast$ is proto-homomorphic for $\circ$ if for every $(PK, SK) \in$ Keys and $m, m' \in \Sigma$,

$$\mathrm{Enc}_{PK}(m) \circledast \mathrm{Enc}_{PK}(m') \subseteq \mathrm{Dec}_{SK}(m \circ m').$$

Here, $\circledast$ is extended to an operation on sets in the natural way. The definitions extend naturally
to unary operations. Now let $\oplus$ and $\odot$ denote pointwise addition and pointwise multiplication over
$\mathbb{F}_q^n$, respectively, and let $\gamma\cdot$ denote multiplication of a vector in $\mathbb{F}_q^n$ by the fixed scalar $\gamma$.

Claim 3.5. With respect to the encryption space $\mathbf{K}$, $\oplus$ is homomorphic for addition, $\gamma\cdot$ is
homomorphic for multiplication by the scalar $\gamma$, and $\odot$ is proto-homomorphic for multiplication.

Proof. Let $c = Mx + m\mathbf{1} + f$ and $d = Mx' + m'\mathbf{1} + f'$, where $f_i = f'_i = 0$ when $i \in S$. Then
$c \oplus d = M(x + x') + (m + m')\mathbf{1} + (f + f')$, which is in $\mathrm{Enc}_{PK}(m + m')$, proving homomorphism for
addition. Scalar multiplications are similar. For multiplication, let $y$ be any solution to (2) and
notice that

$$\begin{aligned} y^T (c \odot d) &= \sum_{i \in [n]} y_i (Mx + m\mathbf{1} + f)_i (Mx' + m'\mathbf{1} + f')_i \\ &= \sum_{i \in S} y_i (Mx + m\mathbf{1})_i (Mx' + m'\mathbf{1})_i \\ &= \sum_{i \in S} y_i (M_i \otimes M_i)^T (x \otimes x') + m \cdot y^T M x' + m' \cdot y^T M x + mm' \cdot y^T \mathbf{1} \\ &= mm' \end{aligned}$$

since by the constraints (2) we have $\sum_{i \in S} y_i (M_i \otimes M_i) = 0$, $y^T M = 0$, and $y^T \mathbf{1} = 1$. □

Claim 3.5 already enables homomorphic evaluation under K of circuits that have at most one
layer of multiplication gates. To do more, we need a homomorphic way of turning ciphertexts in
$\mathrm{Dec}_{SK}(m)$ into ciphertexts in $\mathrm{Enc}_{PK}(m)$. While we will not achieve this (at
least not under the desired security assumption), in the following sections we will show how to
convert $\mathrm{Dec}_{SK}(m)$ into $\mathrm{Enc}_{PK'}(m)$, where $PK'$ is a different public key. We describe this process
of reencryption in the following section.
4 Reencryption



We now define the functionality and security requirements of reencryption. We then prove a 
composition theorem which shows how to obtain homomorphic encryption from reencryption and 
a basis of proto-homomorphic operations. 

Intuitively, a reencryption circuit takes a decryption under keys (PK, SK) and outputs an en- 
cryption under keys {PK' , SK'). To do this the circuit will access some auxiliary information about 
the secret key SK which will be "hidden" under PK'. We model this auxiliary information by an 
auxiliary key information function I(SK, PK'). One complication that occurs in our instantiations 
of reencryption is that the function / will be randomized, and we will have to account for the 
possibility that it produces incorrect information about the key pair. 

Definition 4.1. Let $\mathbf{E} =$ (Keys, Enc, Dec) and $\mathbf{E}' =$ (Keys$'$, Enc$'$, Dec$'$) be encryption spaces
over the same message set. A (deterministic) circuit $\mathrm{ReEnc}_{I(\cdot)}(\cdot)$ is a reencryption from $\mathbf{E}$ to
$\mathbf{E}'$ with auxiliary key information $I$ and key error $\kappa$ if for every admissible pair $(PK, SK) \in$
Keys, $(PK', SK') \in$ Keys$'$, every message $m$ and every $c \in \mathrm{Dec}_{SK}(m)$,

$$\Pr_I[\mathrm{ReEnc}_{I(SK, PK')}(c) \in \mathrm{Enc}'_{PK'}(m)] \geq 1 - \kappa,$$

where the probability is taken only over the randomness of $I$.

To define security, let E and E$'$ be encryption schemes that implement $\mathbf{E}$ and $\mathbf{E}'$ respectively.
We will say ReEnc is $(s \to s', \varepsilon \to \varepsilon')$-secure provided that for every pair of messages
$m_1$ and $m_2$, if $(PK, \mathsf{Enc}_{PK}(m_1))$ and $(PK, \mathsf{Enc}_{PK}(m_2))$ are $(s, \varepsilon)$-indistinguishable, then
$(PK, PK', I(SK, PK'), \mathsf{Enc}_{PK}(m_1))$ and $(PK, PK', I(SK, PK'), \mathsf{Enc}_{PK}(m_2))$ are $(s', \varepsilon')$-indistinguishable.

We now show how to combine proto-homomorphic operations and reencryption in order to
obtain homomorphic encryption. One small complication is that in our definition of reencryption
we allow the two spaces $\mathbf{E}$ and $\mathbf{E}'$ to be different. This is an important feature that will help
us achieve the definition initially. So when we apply $d$ levels of reencryption, we will work with a
chain of public-key encryption schemes E$_0, \dots,$ E$_d$.

Let E$_0, \dots,$ E$_d$ be public-key encryption schemes such that E$_i$ implements the encryption space $\mathbf{E}_i$.
Assume ReEnc$_i$ is a reencryption from $\mathbf{E}_i$ to $\mathbf{E}_{i+1}$ with auxiliary information $I_i$.

Let $C$ be a circuit with binary gates, each of which has a homomorphic or proto-homomorphic
implementation in all of the spaces $\mathbf{E}_i$. Abusing terminology, we will call these gates homomorphic
and proto-homomorphic gates, respectively. The proto-homomorphic depth of a circuit class $\mathcal{C}$ is the largest
number of proto-homomorphic gates on any directed path in any circuit in $\mathcal{C}$. Without loss of
generality (by adding some dummy gates), we will assume that the proto-homomorphic gates in
$\mathcal{C}$ are layered, i.e. every path in every circuit has exactly the same number of proto-homomorphic
gates. Let $\mathcal{C}_{cs,d}$ be the class of circuits of size $cs$ and proto-homomorphic depth $d$.

Homomorphic template $T(\mathrm{E}_0, \dots, \mathrm{E}_d)$ for $\mathcal{C}_{cs,d}$

Key generation: Generate key pairs $(PK_i, SK_i)$ uniformly at random for every $i$. Generate
auxiliary key information $I_i(SK_i, PK_{i+1})$ uniformly at random for every $i$. The secret key is
$(SK_0, \dots, SK_d)$. The public key is $(PK_0, \dots, PK_d, I_0, \dots, I_{d-1})$.

Encryption and decryption are the same as in E$_0$ using the key pair $(PK_0, SK_0)$.

Homomorphic decryption is the same as in E$_d$ using the secret key $SK_d$.

Homomorphic evaluation: Given a layered circuit $C$, replace every homomorphic gate $+$ of $C$
by its homomorphic implementation $\oplus$. At every proto-homomorphic layer $i$, replace the proto-homomorphic
gates $\cdot$ by their proto-homomorphic implementations followed by ReEnc$_i$. Add
reencryption gates ReEnc$_0$ at the input level. Perform the evaluation on the ciphertexts, using the
auxiliary information $I_i$ for ReEnc$_i$. Output the resulting ciphertext.

The following two statements capture the functionality and security properties of this scheme;
we omit the easy proofs.

Proposition 4.2. Suppose ReEnc$_i$ has key error at most $\kappa$ for every $i$. Then $T(\mathrm{E}_0, \dots, \mathrm{E}_d)$ is a homomorphic
encryption scheme with setup error at most $d \cdot \kappa$.

Claim 4.3. Suppose E$_0$ is $(s_0, \varepsilon_0)$-message indistinguishable and ReEnc$_i$ is $(s_i \to s_{i+1}, \varepsilon_i \to \varepsilon_{i+1})$-secure
for every $i$. Then $T(\mathrm{E}_0, \dots, \mathrm{E}_d)$ is $(s_d, \varepsilon_d)$-message indistinguishable.

4.1 Constructing reencryption 

We now give a construction of a reencryption from the family of encryptions $\mathrm{K}_q(n)$. Let $\mathrm{K}_q(n)$ and
$\mathrm{K}_q(n')$ be two instantiations of K with different hardness parameters, specifically with $n' > n$. To
simplify notation we will identify the two encryption schemes with their corresponding encryption
spaces.

Our construction of a reencryption from $\mathrm{K}_q(n)$ to $\mathrm{K}_q(n')$ is based on Gentry's ingenious idea of
homomorphically evaluating the decryption circuit of $\mathrm{K}_q(n)$. The decryption circuit in our scheme
is extremely simple, as it only uses homomorphic additions. However, one important complication
in our scheme is the possibility of encryption errors. While for a single encryption the likelihood of
an error occurring is small, when we apply the encryption to all the coordinates of the "secret key"
the error becomes substantial. Our choice of parameters for $\mathrm{K}_q(\cdot)$ is essential for controlling the
error; it will allow us to tolerate a substantial amount of error provided we choose $n'$ to be large
enough in terms of $n$.

We now describe the reencryption. Let $y$ be the designated solution to the system (2) which
specifies the decryption space of $\mathrm{K}_q(n)$. Recall that $y_i = 0$ whenever $i$ is outside the hidden subset $S$.
The auxiliary key information $I(SK, PK')$ consists of the encryptions $z_1 = \mathsf{Enc}_{PK'}(y_1), \dots, z_n =
\mathsf{Enc}_{PK'}(y_n)$, where all encryptions are performed independently. Each of these encryptions is a
vector in $\mathbb{F}_q^{n'}$. The reencryption is given by

$$\mathrm{ReEnc}_{z_1, \dots, z_n}(c) = c_1 z_1 + \dots + c_n z_n.$$

Claim 4.4. ReEnc is a reencryption from $\mathrm{K}_q(n)$ to $\mathrm{K}_q(n^{1+\alpha})$ with auxiliary information $I$ and
key error $n^{-\alpha(1-\alpha)/2}$.

Proof. Recall that $z_i$ has the form $M'x_i + y_i \mathbf{1} + e_i$, where $e_i$ is an error vector with error rate $\eta'$. We will say the output of $I(PK', SK)$ is good if for all $i \in [n]$, all the entries of $e_i$ that fall inside the hidden subset $S'$ are zero. By a union bound over the $n$ encryptions and the $s' = |S'|$ coordinates of $S'$ (recall $n' = n^{1+\alpha}$, $\eta' = n'^{-(1-\alpha/4)}$ and $s' = n'^{\alpha/4}$), the probability that $I(PK', SK)$ is not good is at most

$$\eta' s' n = n^{-(1+\alpha)(1-\alpha/4)} \cdot n^{(1+\alpha)(\alpha/4)} \cdot n = n^{-\alpha(1-\alpha)/2}.$$

We now show that if $I(PK', SK)$ is good then $\mathrm{ReEnc}_I(c) \in \mathrm{Enc}_{PK'}(m)$ for every $c \in \mathrm{Dec}_{SK}(m)$. Recall that $\mathrm{Enc}_{PK'}(m)$ contains those ciphertexts that take value $M'_{S'}x + m\mathbf{1}$ inside $S'$ (for some $x$) and can take arbitrary values outside $S'$. Since $I$ is good, we know that the projection of $z_i$ onto $S'$ has the form $M'_{S'}x_i + y_i\mathbf{1}$. Therefore the projection of $\mathrm{ReEnc}_I(c)$ onto $S'$ has the form

$$\sum_{i=1}^{n} c_i\,(M'_{S'}x_i + y_i\mathbf{1}) = M'_{S'}x + (c^{\mathsf{T}}y)\mathbf{1} = M'_{S'}x + m\mathbf{1},$$

where $x = \sum_{i=1}^{n} c_i x_i$ and $c^{\mathsf{T}}y = m$ because $c \in \mathrm{Dec}_{SK}(m)$. □
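As an added example (not code from the paper), the following Python toy instance makes the reencryption above concrete. It models the scheme in exactly the shape the proof of Claim 4.4 uses: a ciphertext equals $Mx + m\mathbf{1} + e$ on the hidden coordinates, decryption is the linear functional $c \mapsto c^{\mathsf{T}}y$, and ReEnc is $\sum_i c_i z_i$ with $z_i = \mathrm{Enc}_{PK'}(y_i)$. The concrete code family chosen here (Reed-Solomon style evaluations $a_i^j$, in the spirit of the Vandermonde-type public key of Appendix A), the prime modulus Q, and all sizes are assumptions of this example and not the paper's parameters; in particular the paper takes $q$ a power of two in Section 5.1. The noise positions in the demo are chosen explicitly relative to the hidden set so that both the harmless and the erroneous case are exercised deterministically.

```python
"""Toy affine-code scheme: message in the constant term, noise only for security.

Assumptions of this example, not the paper's parameters: a prime field F_Q, a
Reed-Solomon style public key (evaluation points a_i, columns a_i^j), small sizes.
"""
import random

Q = 7919  # prime modulus standing in for F_q

def inv(a):
    """Multiplicative inverse in F_Q (Q prime)."""
    return pow(a, Q - 2, Q)

def keygen(n, r, s, rng):
    """PK: distinct nonzero evaluation points a_1..a_n and degree bound r.
    SK: hidden subset S (|S| = s > r) and a vector y supported on S with
    sum_{i in S} y_i p(a_i) = p(0) for every polynomial p of degree < s
    (Lagrange weights for evaluation at 0), so y^T M = 0 on the columns a_i^j
    and y^T 1 = 1: the analogue of the designated solution of system (2)."""
    a = rng.sample(range(1, Q), n)
    S = sorted(rng.sample(range(n), s))
    y = [0] * n
    for i in S:
        num, den = 1, 1
        for j in S:
            if j != i:
                num = num * a[j] % Q
                den = den * (a[j] - a[i]) % Q
        y[i] = num * inv(den) % Q
    return {"a": a, "r": r}, {"S": S, "y": y}

def encrypt(pk, m, rng, noise_rate=0.0, noise_positions=None):
    """c_i = p(a_i) + e_i with p(X) = m + x_1 X + ... + x_r X^r and fresh random x.
    If noise_positions is None, each coordinate is hit independently with
    probability noise_rate (independent noise of arbitrary magnitude)."""
    a, r = pk["a"], pk["r"]
    x = [rng.randrange(Q) for _ in range(r)]
    c = []
    for ai in a:
        val, power = m % Q, 1
        for xj in x:
            power = power * ai % Q
            val = (val + xj * power) % Q
        c.append(val)
    if noise_positions is None:
        noise_positions = [i for i in range(len(a)) if rng.random() < noise_rate]
    for i in noise_positions:
        c[i] = (c[i] + rng.randrange(1, Q)) % Q
    return c

def decrypt(sk, c):
    """Dec_SK(c) = c^T y: correct iff the noise vanishes on S and deg p < |S|."""
    return sum(yi * ci for yi, ci in zip(sk["y"], c)) % Q

def add(c1, c2):
    """Pointwise sum: M(x + x') + (m + m')1 on S."""
    return [(u + v) % Q for u, v in zip(c1, c2)]

def mul(c1, c2):
    """Pointwise product: the degree doubles, so it decrypts only while 2r < |S|."""
    return [(u * v) % Q for u, v in zip(c1, c2)]

def aux_info(sk, pk2, rng, noise_rate=0.0):
    """I(SK, PK'): independent encryptions z_i = Enc_{PK'}(y_i) of the secret vector."""
    return [encrypt(pk2, yi, rng, noise_rate) for yi in sk["y"]]

def reencrypt(z, c):
    """ReEnc_z(c) = c_1 z_1 + ... + c_n z_n, the decryption c^T y evaluated
    homomorphically; on S' it equals M'(sum c_i x_i) + (c^T y) 1 = M'x + m 1."""
    out = [0] * len(z[0])
    for ci, zi in zip(c, z):
        for k, zik in enumerate(zi):
            out[k] = (out[k] + ci * zik) % Q
    return out

def demo(seed=1):
    """Deterministic walk-through; noise positions are chosen relative to the
    hidden set S so that both the harmless and the erroneous case occur."""
    rng = random.Random(seed)
    pk, sk = keygen(n=40, r=3, s=9, rng=rng)
    c1, c2 = encrypt(pk, 5, rng), encrypt(pk, 7, rng)
    outside = [i for i in range(40) if i not in sk["S"]][:4]
    c_out = encrypt(pk, 5, rng, noise_positions=outside)        # noise off S
    c_in = encrypt(pk, 5, rng, noise_positions=[sk["S"][0]])    # noise on S
    prod = mul(c1, c2)                                          # degree 6 < 9
    pk2, sk2 = keygen(n=60, r=4, s=11, rng=rng)                 # fresh key pair
    fresh = reencrypt(aux_info(sk, pk2, rng), prod)             # degree 4 again
    return {"m1": decrypt(sk, c1), "sum": decrypt(sk, add(c1, c2)),
            "prod": decrypt(sk, prod), "noise_outside_S": decrypt(sk, c_out),
            "noise_inside_S": decrypt(sk, c_in), "reenc_prod": decrypt(sk2, fresh),
            "reenc_len": len(fresh)}

if __name__ == "__main__":
    print(demo())
```

The demo encrypts the secret vector of the first key under a longer second key and reencrypts a product ciphertext: the result decrypts under the second key and its polynomial degree is back to $r'$, which is the step the bootstrapping argument relies on. Raising noise_rate in aux_info reproduces the key error of Claim 4.4: any nonzero entry of some $z_i$ inside $S'$ breaks the reencryption, and the union bound $\eta' s' n$ counts exactly those events.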

The following security claim can be derived by a hybrid argument.

Claim 4.5. If $K_q(n')$ is $(s, \varepsilon')$-message indistinguishable, then ReEnc is $(s \to s - \mathrm{poly}(n),\ \varepsilon \to \varepsilon + n\varepsilon')$-secure.

Assume $K_q(n)$ is $(s, \varepsilon(n))$-message indistinguishable for every $n$, where $\varepsilon(n)$ is nonincreasing. Instantiating the template $T(E_0, \ldots, E_d)$ with the encryption schemes $E_i = K_q(n^{(1+\alpha)^i})$, we obtain a family of homomorphic encryption schemes BASIC$(n)$ for circuits $C\colon \mathbb{F}_q^m \to \mathbb{F}_q$ with addition, scalar multiplication, and binary multiplication gates, of size $cs$ and multiplication depth $d$, with key length and encryption length $O(n^{(1+\alpha)^d})$ and setup error $d\,n^{-\alpha(1-\alpha)/2}$, that are $(s - d\cdot\mathrm{poly}(n),\ O(n^{(1+\alpha)^{d-1}}\varepsilon(n)))$-message indistinguishable.

5 Optimizing reencryption 

We now describe two transformations of reencryption. The purpose of the first transformation is to eliminate the blowup in the security parameter in Claim 4.4. The second is a generic technique for reducing the key error.

5.1 Improving the key length 

Let us revisit the homomorphic scheme BASIC from the previous section. For convenience we introduce a change of parameters. After performing $d$ layers of homomorphic multiplication, the length of the ciphertext went from $n_0$ to $n = n_0^{(1+\alpha)^d}$. We will describe a reencryption from $K_q(n)$ to $K_q(n)$.

What we would like to do is use the transformation from Claim 4.4, but without increasing the length $n$. As we noted, this is difficult to do owing to the large amount of encryption error that accumulates in the auxiliary key information. Now let us instead attempt to reduce the reencryption length by moving from $K_q(n)$ to $K_q(n_0)$. This appears even less reasonable, as $K_q(n_0)$ has even greater encryption error than $K_q(n)$. But one advantage of working with $K_q(n_0)$ is that the scheme BASIC already allows us to do homomorphic evaluation over its ciphertexts. Our idea is to apply BASIC to a "correction circuit" CORR whose purpose is to eliminate the encryption errors introduced when encrypting the secret key information about $K_q(n)$ using $K_q(n_0)$.

To carry out this idea, we have to be somewhat careful about the design of CORR. Here, the value of the parameter $\alpha$ will play an important role. If CORR is too deep the security suffers, as it is dictated by $n_0$, while the encryption length is $n > n_0$. For a careful choice of the parameters, we can ensure that CORR has constant depth, which will enable us to produce length-preser­ving reencryptions of size $n$ with security parameter polynomial in $n$.

We will assume that $q$ is a power of two. Let $d$ be an even constant (we later set it to 8). Let $(PK, SK)$ and $(PK', SK')$ be two admissible key pairs for $K_q(n)$.

Reencryption. We generate the auxiliary key information as follows. First, sample a sequence of independent key pairs $(PK_0, SK_0), \ldots, (PK_{d-1}, SK_{d-1})$, where $(PK_i, SK_i)$ comes from $\mathrm{Gen}(n_0^{(1+\alpha)^i})$. Let $y \in \mathbb{F}_q^n$ specify the decryption space of $K_q(n)$. Let $\gamma$ be a generator of the field extension $\mathbb{F}_q$ over $\mathbb{F}_2$, so that $1, \gamma, \ldots, \gamma^{\log q - 1}$ is an $\mathbb{F}_2$-basis of $\mathbb{F}_q$. The auxiliary information is generated as follows.

1. Encrypt: For each coordinate $y_i$ of $y$, expand $y_i = y_{i0} + \gamma y_{i1} + \cdots + \gamma^{\log q - 1} y_{i,\log q - 1}$ with $y_{ij} \in \{0,1\}$. For every pair $(i,j)$ create $2^d$ independent ciphertexts $c_{ij}^k = \mathrm{Enc}_{PK_0}(y_{ij})$, where $k$ ranges from 1 to $2^d$.

2. Correct: For every pair $(i,j)$ calculate $z_{ij} = \mathrm{Eval}(\mathrm{CORR}, c_{ij}^1, \ldots, c_{ij}^{2^d})$, where Eval is the evaluation algorithm for BASIC when the key generation algorithm is instantiated with the keys $(PK_0, SK_0), \ldots, (PK_{d-1}, SK_{d-1}), (PK', SK')$, and $\mathrm{CORR}\colon \{0,1\}^{2^d} \to \{0,1\}$ is the circuit described below.

3. Output: Let $z_i = z_{i0} + \gamma z_{i1} + \cdots + \gamma^{\log q - 1} z_{i,\log q - 1}$. Output the vector $I(SK, PK') = (z_1, \ldots, z_n)$.

As before, the reencryption procedure is $\mathrm{ReEnc}_{z_1, \ldots, z_n}(c) = c_1 z_1 + \cdots + c_n z_n$.

We now describe the correction circuit. The purpose of this circuit is to eliminate the errors accumulated in the encryption, which suggests using majority. However, we also need to have fine control over the depth of the circuit. Since the errors of the various encryptions are independent, it is natural to use a recursive majority-type construction in order to correct the error from one layer to the next. For our analysis, it will be convenient to make CORR a full binary tree of depth $d$, where $d$ is even and all the gates are of the type $G(x,y) = 1 - xy$. When restricted to $\{0,1\}$ inputs, this is a NAND tree.

Proposition 5.1. For $\alpha < 1/4$ and $d = 8$, ReEnc is a reencryption from $K_q(n)$ to $K_q(n)$ with auxiliary key information $I$ and key error $O(n^{-0.5})$.

Proof. With probability $1 - d\,n_0^{-\alpha(1-\alpha)/2}$ over the choice of keys (the setup error of BASIC from Section 4), the circuit Eval makes no mistake on its input. Let us assume this is the case.

We will show that with probability $1 - O(n^{-0.5})$, $z_{ij} \in \mathrm{Enc}_{PK'}(y_{ij})$ for every pair $(i,j)$. By the homomorphic property of additions and scalar multiplications, it follows that $z_i \in \mathrm{Enc}_{PK'}(y_i)$ for all $i$. The correctness of reencryption then follows by the same argument as in Claim 4.4.

We fix $i$ and $j$ and for notational convenience write $y = y_{ij}$, $z = z_{ij}$, $c^k = c_{ij}^k$. Let $y^k$ denote the unique value in $\mathbb{F}_q$ such that $\mathrm{Dec}_{SK_0}(c^k) = y^k$. Since the encryption of the $y_{ij}$ was performed at error rate $\eta_0$, it follows that independently for each $k$, $y^k = y$ with probability $1 - \eta_0$, and otherwise $y^k$ could be an arbitrary element of $\mathbb{F}_q$.

Let us start with the special case $d = 2$. We will argue that $\Pr[z \notin \mathrm{Enc}_{PK'}(y)] \le 6\eta_0^2$. This follows from the design of the circuit CORR. If CORR is given four inputs, three of which have the same value $b \in \{0,1\}$, its output is also $b$, whatever the fourth input is: for $b = 0$ both first-level gates output $1$ (since $G(0,u) = 1$ for every $u$) and the top gate outputs $0$; for $b = 1$ the first-level gate with two correct inputs outputs $G(1,1) = 0$, which forces the top gate to output $1$. Therefore the event $z \notin \mathrm{Enc}_{PK'}(y)$ can only happen if $y^k \ne y$ for at least two values of $k$, which happens with probability at most $\binom{4}{2}\eta_0^2 = 6\eta_0^2$.

By induction on (even values of) $d$, it follows that in general the event $z \notin \mathrm{Enc}_{PK'}(y)$ happens with probability at most $6^{2^{d/2}-1}\eta_0^{2^{d/2}}$: a depth-$(d+2)$ tree is a depth-2 tree whose four inputs are outputs of depth-$d$ trees, so its failure probability is at most $6$ times the square of theirs. We now take a union bound over all $n\log q$ pairs $(i,j)$ and conclude that the reencryption is correct with probability at least $1 - n(\log q)(6\eta_0)^{2^{d/2}}$.

Now recall that $\log q \le n$ and $n = n_0^{(1+\alpha)^d}$, so $n\log q \le n^2 = n_0^{2(1+\alpha)^d}$, while $\eta_0 = n_0^{-(1-\alpha/4)}$. This gives an error of

$$n_0^{2(1+\alpha)^d}(6\eta_0)^{2^{d/2}} = 6^{2^{d/2}}\, n_0^{\,2(1+\alpha)^d - (1-\alpha/4)2^{d/2}} \le 6^{2^{d/2}}\, n_0^{\,2(5/4)^d - (15/16)2^{d/2}} = O(n_0^{-3.07}) = O(n^{-0.5})$$

for $d = 8$ and $\alpha < 1/4$, since $2(5/4)^8 - 15 = -3.079\ldots$ and $n_0 = n^{1/(1+\alpha)^8} \ge n^{1/(5/4)^8} > n^{1/6}$. □
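The following Python snippet is an added example (not the paper's code) that checks the properties of CORR the proof relies on: the gate $G(x,y) = 1 - xy$ evaluated over a prime field standing in for $\mathbb{F}_q$ (the paper takes $q$ a power of two; the argument does not depend on the field), the three-of-four property at depth 2 for an arbitrary wrong value, the recursion $p_{d+2} \le 6p_d^2$ behind the bound $6^{2^{d/2}-1}\eta_0^{2^{d/2}}$, and the exponent $2(1+\alpha)^d - (1-\alpha/4)2^{d/2}$ of $n_0$ in the union bound for the parameters of Proposition 5.1. The modulus and the tighter worst-case recursion are this example's own choices.

```python
"""Correction circuit CORR_d over F_Q: a full binary tree of gates G(x, y) = 1 - x*y.

Assumption of this example: Q is a prime standing in for the paper's F_q.
"""

Q = 7919

def gate(x, y):
    """G(x, y) = 1 - xy; a NAND gate when x, y are in {0, 1}."""
    return (1 - x * y) % Q

def corr(inputs):
    """Evaluate CORR_d on 2^d field elements (d = log2 of the input count)."""
    layer = list(inputs)
    assert len(layer) & (len(layer) - 1) == 0, "input count must be a power of two"
    while len(layer) > 1:
        layer = [gate(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]

def three_of_four_robust(wrong_values):
    """Depth 2: if three inputs equal b in {0, 1}, the output is b whatever the
    fourth input is.  This is why a failure needs at least two bad inputs."""
    for b in (0, 1):
        for pos in range(4):
            for w in wrong_values:
                x = [b] * 4
                x[pos] = w
                if corr(x) != b:
                    return False
    return True

def error_bound(d, eta):
    """The proof's recursion: p_2 <= 6 eta^2 and p_{d+2} <= 6 p_d^2,
    i.e. p_d <= 6^(2^(d/2) - 1) eta^(2^(d/2)) for even d."""
    p = 6 * eta ** 2
    for _ in range((d - 2) // 2):
        p = 6 * p * p
    return p

def worst_case_failure(d, eta):
    """Tighter recursion: a depth-2 block fails only if >= 2 of its 4 inputs are
    bad, so p' = 1 - (1-p)^4 - 4p(1-p)^3 = p^2 (6 - 8p + 3p^2) <= 6 p^2."""
    p = eta
    for _ in range(d // 2):
        p = 1 - (1 - p) ** 4 - 4 * p * (1 - p) ** 3
    return p

def union_bound_exponent(alpha, d):
    """Exponent of n_0 in n^2 (6 eta_0)^(2^(d/2)), with n = n_0^((1+alpha)^d) and
    eta_0 = n_0^-(1 - alpha/4); a negative value means the key error vanishes."""
    return 2 * (1 + alpha) ** d - (1 - alpha / 4) * 2 ** (d / 2)

if __name__ == "__main__":
    print(three_of_four_robust([2, 3, Q - 1]), corr([1, 0, 1, 0]))
    print(error_bound(8, 0.01), worst_case_failure(8, 0.01))
    print(union_bound_exponent(0.25, 8))
```

corr([1, 0, 1, 0]) shows the failure mode: with two wrong inputs for $b = 1$ the output flips, which is exactly the event the $6\eta_0^2$ term counts. At $\alpha = 1/4$ and $d = 8$ the exponent evaluates to about $-3.08$, the figure used at the end of the proof; increasing $d$ by two squares the per-pair error but only multiplies the exponent of the ciphertext length by $1+\alpha$.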



The following claim follows by a standard hybrid argument and we omit the proof.

Claim 5.2. Fix $\alpha < 1/4$ and $d = 8$ and assume $K_q(n)$ is $(s(n), \varepsilon(n))$-message indistinguishable for every $n$, where $\varepsilon(n)$ is nonincreasing. Then for every $\varepsilon_0$, ReEnc is $(s(n) \to s(n^{0.1}) - \mathrm{poly}(n),\ \varepsilon_0 \to \varepsilon_0 + O(n^{1.8}\cdot\varepsilon(n^{0.1})))$-secure.



5.2 Reducing the key error 

The final optimization we perform concerns the key error of reencryption. The key error of the reencryption ReEnc from the previous section cannot be reduced beyond $1/n$. In the homomorphic template in Section 4, the setup error increases linearly with the number of reencryptions, so we cannot apply this scheme to circuits of depth larger than $n$. We now introduce a generic technique for reducing this error.

Suppose we are given a reencryption ReEnc with key error $\kappa < 1/32$. If we apply ReEnc $k$ times in parallel to the same ciphertext, using independent instantiations of the auxiliary key information, then by large deviation bounds we can expect that with probability $1 - 2^{-\Omega(k)}$ a significant majority, say a $15/16$ fraction, of the reencryptions will be correct. However, reapplying reencryption over and over again will quickly yield overwhelming error. This calls for a boosting tool of the following kind: given $k$ ciphertexts out of which, say, $15/16$ represent the same value, output $k$ ciphertexts out of which a larger majority, say $31/32$, represent that value. We implement this functionality in a circuit that we call Boost. For later convenience we reencrypt the outputs of Boost.

Definition 5.3. Let $E$ and $E'$ be two encryption spaces over the same message set and $(PK, SK)$, $(PK', SK')$ be a pair of admissible keys from the respective spaces. A booster of length $k$ from $E$ to $E'$ with auxiliary key information $I(SK, PK')$ and key error $\kappa$ is a circuit Boost with the following property. For every message $m \in \{0,1\}$ and ciphertexts $c_1, \ldots, c_k$ out of which at least $15k/16$ belong to $\mathrm{Dec}_{SK}(m)$, $\mathrm{Boost}_{I(SK,PK')}(c_1, \ldots, c_k)$ outputs ciphertexts $c'_1, \ldots, c'_k$ out of which at least $31k/32$ belong to $\mathrm{Enc}_{PK'}(m)$; as for reencryptions, this is required to hold except with probability $\kappa$ over the choice of the auxiliary key information.

We emphasize that we only require the definition to hold for messages $m \in \{0,1\}$, and not for arbitrary messages in $\mathbb{F}_q$. The security definition for boosters is identical to the one for reencryptions.

Our construction of boosters is based on von Neumann's idea of robust evaluation of circuits 
with faulty gates [vN56]. Let G be a bipartite expander graph with k vertices on each side. The 
circuit Boost will apply G to its inputs and perform a homomorphic majority at each output. 
Computing each of these homomorphic majorities may require some reencryptions. The auxiliary 
key information in each of these reencryptions will be independent, ensuring that with very high 
probability few errors will be introduced in the reencryption. 



The construction. Assume $E$ is an encryption scheme equipped with $\oplus$, $\odot$ and a reencryption ReEnc over ciphertexts of length $n$. Let $G$ be a $(k, b, \lambda = 1/32)$ spectral expander [HLW06] with $k$ vertices on each side, for a sufficiently large constant degree $b$, and let $\mathrm{APXMAJ}_b\colon \mathbb{F}_q^b \to \mathbb{F}_q$ be a circuit of depth that depends only on $b$ (not on $q$) so that

$$\mathrm{APXMAJ}_b(x) = \begin{cases} 0, & \text{if at least } 7b/8 \text{ of the inputs are } 0, \\ 1, & \text{if at least } 7b/8 \text{ of the inputs are } 1. \end{cases}$$

In Appendix B we show the existence of such a circuit of size $O(b^2)$ and depth $b' = O(\log b)$.

Auxiliary key information $I(SK, PK')$: Repeat the following independently $k$ times, once for every output $j$ of Boost: generate a sequence of keys $(PK_0^j, SK_0^j), \ldots, (PK_{b'}^j, SK_{b'}^j)$ and set $SK_0^j = SK$, $PK_{b'}^j = PK'$. Output $I'(SK_i^j, PK_{i+1}^j)$ for every $i$ and $j$, where $I'$ is the auxiliary key information for ReEnc.

The circuit Boost: Suppose that output $j$ of $G$ is connected to inputs $j_1, \ldots, j_b$. For every output $j$, apply the homomorphic evaluation to the circuit $\mathrm{APXMAJ}_b$ on inputs $c_{j_1}, \ldots, c_{j_b}$ as described in Section 4, but using the auxiliary key information with superscript $j$, and with an extra round of reencryptions at the output.

Proposition 5.4. Assume ReEnc is a reencryption whose key error $\kappa$ is a sufficiently small absolute constant (independent of $n$). Then Boost is a booster with key error $2^{-\Omega(k)}$.

Proof. By Proposition 4.2, each of the $k$ homomorphic majority circuits has setup error at most $O(\kappa\log b)$, one reencryption of key error $\kappa$ per level over $b' + 1 = O(\log b)$ levels. Since these setup errors are independent and $\kappa$ is a sufficiently small constant, by Chernoff bounds the chance that more than $k/64$ of the majority circuits fail is at most $2^{-\Omega(k)}$. Let us assume this is not the case.

Now let $B$ be the set of inputs of $G$ whose value is different from $m \in \{0,1\}$. By assumption, $|B| \le k/16$. Let $S$ be the set of outputs of $G$ that connect to more than $b/8$ inputs inside $B$; every output outside $S$ sees at least $7b/8$ inputs equal to $m$, so its majority circuit outputs $m$. There are at least $|S|\,b/8$ edges between $S$ and $B$. By the expander mixing lemma, $e(S,B) \le b|S||B|/k + \lambda b\sqrt{|S||B|}$, so dividing by $bk$ and using $|B| \le k/16$,

$$\frac{|S|}{8k} \le \frac{|S|}{16k} + \lambda\sqrt{\frac{|S|}{16k}},$$

from which $|S| \le 16\lambda^2 k \le k/64$ by our choice of $\lambda = 1/32$.

It follows that, except with probability $2^{-\Omega(k)}$, at most $k/64 + k/64 = k/32$ outputs of Boost decrypt incorrectly. □

We now state the security of this construction.

Claim 5.5. If ReEnc is $(s \to s',\ \varepsilon_0 \to \varepsilon_0 + \varepsilon)$-secure, then Boost is $(s \to s' - k\cdot\mathrm{poly}(n),\ \varepsilon_0 \to \varepsilon_0 + O(k\varepsilon))$-secure.

6 The scheme HOM

To obtain our scheme HOM, we apply the homomorphic template of Section 4 to $k$ parallel copies of the base scheme $K_q(n)$, using the booster from Section 5.2 to perform reencryptions. Let $n$ denote the security parameter.

Let $K_q^k(n)$ denote the following scheme over message set $\mathbb{F}_q$ and ciphertext set $\mathbb{F}_q^{kn}$. The key generation algorithm is the same as in $K_q(n)$. To encrypt a message $m$, we output $k$ independent encryptions of $m$ in $K_q(n)$. To decrypt a ciphertext $c_1 \ldots c_k$, we apply the decryption of $K_q(n)$ to each $c_i$ and output the most frequent answer.

Let $K = (\mathrm{Keys}, \mathrm{Enc}, \mathrm{Dec})$ denote the encryption space for $K_q(n)$ from Section 3. We now define an encryption space $K^k = (\mathrm{Keys}, \mathrm{Enc}^k, \mathrm{Dec}^k)$ for $K_q^k(n)$. We let $\mathrm{Enc}^k_{PK}(m)$ consist of those ciphertexts $c_1 \ldots c_k$ for which $c_i \in \mathrm{Enc}_{PK}(m)$ for at least $31k/32$ values of $i$. We let $\mathrm{Dec}^k_{SK}(m)$ consist of those ciphertexts $c_1 \ldots c_k$ for which $c_i \in \mathrm{Dec}_{SK}(m)$ for at least $15k/16$ values of $i$.

It is easy to see that if $K$ is an encryption space for $K_q(n)$ with encryption error $1/64$, then $K^k$ is an encryption space for $K_q^k(n)$ with encryption error $2^{-\Omega(k)}$. The error follows from a large deviation bound.

It is also easy to see that pointwise addition $\oplus$ and pointwise multiplication $\odot$ are proto-homomorphic over message set $\{0,1\}$ with respect to $K^k$. Notice that although $\oplus$ was homomorphic for $K$, it is merely proto-homomorphic for $K^k$, owing to the possibility of erroneous encryptions in $\mathrm{Enc}^k$.

Finally, notice that the booster Boost from Section 5.2 (instantiated with the length-preserving reencryption ReEnc from Section 5.1) is a reencryption for $K^k$. Now define

$$\mathrm{HOM} = T(K_q^k(n), \ldots, K_q^k(n)) \text{ with reencryption Boost},$$

where $T$ is the homomorphic template from Section 4. The following two claims prove Theorem 2.3.

Claim 6.1. The scheme HOM is a homomorphic encryption scheme for $C_{cs,d}$ with key length

This claim follows directly from Proposition 4.2 and Proposition 5.4.

Claim 6.2. Assume $K_q(n)$ (with $\alpha < 1/4$) is $(s(n), \varepsilon(n))$-message indistinguishable, where $s(n)$ and $1/\varepsilon(n)$ are nondecreasing. Then HOM is $(s(n^{0.1}) - dk\cdot\mathrm{poly}(n),\ O(dk\,n^{1.8}\varepsilon(n^{0.1})))$-message indistinguishable.

This claim follows by combining Claims 4.3, 5.2, and 5.5.

7 Conclusion

In this work we propose a new public-key encryption system that is inspired by the conjectured hardness of decoding noisy codewords from certain affine codes with a planted trapdoor. We argue the security of this system and give a construction of a secure homomorphic encryption scheme based on it.

To evaluate a circuit of depth $d$, our scheme requires keys of size $O((d\log d)\,n)$, where $n$ is the security parameter. It would be good if this dependence on $d$ in the key length were eliminated. One important tool in our analysis is the length-preserving reencryption circuit from Section 5.1. There we proved that reencryption is secure provided it is used on independent key pairs. It is tempting to instantiate this construction over the same key pair, in the spirit of the "circular security" assumptions prevalent in other works on homomorphic encryption. This would indeed eliminate the dependence on $d$ (and also obviate the need for reducing the key error).

While we do not know whether the suggested circular security assumption is valid or not, we are uncomfortable conjecturing it for the following reason. In the auxiliary key information, every one of the $n$ elements $y_i$ of the "secret key vector" $y$ is encoded by a ciphertext $c_i$ of length $n$, so that all the ciphertexts decode without error. In view of the simplicity of our decryptions, we feel that if such a property holds at all, it should be achievable by direct construction (possibly using other reasonable security assumptions) rather than by the somewhat complex mechanism of Section 5.1. We were not able to come up with such a direct construction without suffering a security flaw.

Our initial motivation for this research was to better understand the complexity required for homomorphic encryption. Owing to the simplicity of its encryption, the scheme of Applebaum et al. was a natural starting point for this study. Many of the techniques developed here can be applied to that scheme. However, we were unable to design a secure length-preserving reencryption for that scheme. In short, the reason is that the system of equations analogous to (2) for that scheme does not enjoy a sufficient amount of redundancy, which severely limits the choice of $\alpha$.

We recently learned of an independent attempt by Armknecht et al. [AAPS11] to construct a code-based homomorphic encryption scheme. Their scheme achieves only some rudimentary homomorphic properties and is not public-key. However, it appears some of their ideas (for example, the use of pointwise operations on ciphertexts) are related to ours, and it would be interesting to see if they can be applied towards future improvements.
A The ranks of submatrices of the public key

We prove the following proposition, which points to the limitation of the attack on the public key $M$ described in the introduction.

Proposition A.1. Let $T \subseteq [n]$, $|T| = t$, be an arbitrary subset of rows of the $n \times r$ public key matrix $P$ such that $|T \cap S| \le s/3 + \max\{t - r, 0\}$. Then the submatrix $P_T$ of $P$ spanned by the rows indexed by $T$ has full rank with probability at least $1 - O(r^2/q)$, where the randomness is taken over the choice of $a_1, \ldots, a_n$ in the key generation algorithm.

Proof. We prove the proposition for the matrix $M$ instead of $P$. Since $P$ and $M$ have the same column space, and the rank of $P_T$ is a property of the column space of $P$ projected to the coordinates in $T$, the statement will follow.

Without loss of generality we may assume that $M_T$ is a square matrix: if $t < r$ we can augment $M_T$ by rows from outside $S$, and if $t > r$ we can eliminate rows of $M_T$ that come from $S$ (and some extra ones if necessary). Both operations preserve rank deficiency.

Now suppose $M_T$ is a square matrix such that at most $s/3$ of its rows come from $S$. Let us assume, again without loss of generality, that $T = \{1, \ldots, r\}$ and $T \cap S = \{1, \ldots, s_0\}$ with $s_0 \le s/3$. We now argue that with probability $1 - O(r^2/q)$, the determinant $\det(M_T)$ is nonzero.

Notice that $\det(M_T)$ is a formal polynomial in the variables $a_1, \ldots, a_r$ of degree at most $1 + 2 + \cdots + r = r(r+1)/2$. In our setup, the diagonal term $a_1 a_2^2 \cdots a_r^r$ appears uniquely in the sum-product expansion of the determinant, and so this formal polynomial is nonzero. By the Schwartz-Zippel lemma, if $a_1, \ldots, a_r$ were chosen independently at random from $\mathbb{F}_q$, $\det(M_T)$ would be zero with probability at most $r(r+1)/2q$. Our $a_i$ are not independent since they are required to be distinct, but the statistical distance between $r$ uniformly independent elements of $\mathbb{F}_q$ and $r$ uniform but distinct elements of $\mathbb{F}_q$ is only $O(r^2/q)$. It follows that $\det(M_T) \ne 0$ with probability $1 - O(r^2/q)$. □

B Approximate 0,1-majorities over arbitrary fields

In this section we prove the following claim.

Proposition B.1. Let $q$ be a power of a prime. There exists a circuit $\mathrm{APXMAJ}_m\colon \mathbb{F}_q^m \to \mathbb{F}_q$ of size $O(m^2)$ and depth $O(\log m)$ with the property (3).

The challenge is to make the depth of the circuit independent of $q$. We show an easy construction based on a trick of Valiant [Val84].

Proof. Let $\mathrm{CORR}_d$ be the correction circuit from Section 5.1 with $d = 2\log m + 4$, so that it has $2^d = 16m^2$ inputs, $O(m^2)$ gates and depth $O(\log m)$. We will show that there exists a way to connect the $m$ inputs to the $2^d$ inputs of $\mathrm{CORR}_d$ such that the resulting circuit computes $\mathrm{APXMAJ}_m$.

Fix a specific input $x$ such that at least $7/8$ of its elements equal $b \in \{0,1\}$. If each of the inputs to $\mathrm{CORR}_d$ is randomly wired to one of the elements of $x$, then the inputs to $\mathrm{CORR}_d$ will take value $b$ independently with probability at least $7/8$ each. Recall from the proof of Proposition 5.1 that if each input to this circuit takes value $b$ with probability $7/8$ (and an arbitrary value otherwise), then its output takes value $b$ with probability at least $1 - (3/4)^{2^{d/2}} > 1 - 2^{-m}$ by our choice of $d$. Since only the set of positions where $x$ differs from $b$ matters for this event, a union bound over all such inputs $x$ (fewer than $2\cdot 2^m$ cases) shows that there must exist a wiring with the desired property. □
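As an added example (not from the paper), the Python below carries out the existence argument of Proposition B.1 constructively for small $m$: it draws random wirings of the $m$ inputs into the $16m^2$ leaves of $\mathrm{CORR}_d$ with $d = 2\log m + 4$ and accepts a wiring once it provably computes $\mathrm{APXMAJ}_m$. The acceptance check is exact rather than sampled: an input that does not equal $b$ is treated as an unknown field element (None), using only $G(0,u) = 1$ and $G(1,u) = 1 - u$, the same three-of-four reasoning as in Proposition 5.1, so a wiring that passes works for every $q$ and every wrong value. The prime modulus used for numeric evaluation and the choice $m = 8$ are this example's own.

```python
"""APXMAJ_m from a randomly wired CORR_d (Proposition B.1), for m a power of two.

Assumption of this example: numeric evaluation uses a prime modulus Q standing in
for F_q; the acceptance check itself is field-independent.
"""
import itertools
import random

Q = 7919

def gate(x, y):
    """G(x, y) = 1 - xy over F_Q."""
    return (1 - x * y) % Q

def gate_sym(x, y):
    """G over {0, 1, None}, None = 'arbitrary field element': G(0, u) = 1 for
    every u, while G(1, u) = 1 - u is again arbitrary.  Exact worst case."""
    if x is None and y is None:
        return None
    if y is None:
        x, y = y, x            # put the unknown first
    if x is None:
        return 1 if y == 0 else None
    return 1 - x * y

def tree(leaves, g):
    """Full binary tree of gates g over a power-of-two number of leaves."""
    layer = list(leaves)
    while len(layer) > 1:
        layer = [g(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]

def wiring_is_apxmaj(wiring, m):
    """True iff CORR wired by `wiring` outputs b on every input with at least
    7m/8 entries equal to b in {0, 1}, whatever the other (<= m/8) entries are."""
    for b in (0, 1):
        for k in range(m // 8 + 1):
            for bad in itertools.combinations(range(m), k):
                x = [b] * m
                for i in bad:
                    x[i] = None
                if tree([x[t] for t in wiring], gate_sym) != b:
                    return False
    return True

def find_apxmaj_wiring(m, rng, max_tries=50):
    """Random wiring of m inputs into the 2^d = 16 m^2 leaves, d = 2 log2 m + 4.
    Each leaf is wrong with probability <= 1/8 independently, so by the bound of
    Proposition 5.1 a random wiring fails with probability < 2^-m per input."""
    d = 2 * (m.bit_length() - 1) + 4         # m = 2^t gives d = 2t + 4
    for _ in range(max_tries):
        wiring = [rng.randrange(m) for _ in range(2 ** d)]
        if wiring_is_apxmaj(wiring, m):
            return wiring
    return None

def build_apxmaj(m=8, seed=0, max_tries=50):
    """Deterministic entry point: seeded search for a valid wiring."""
    return find_apxmaj_wiring(m, random.Random(seed), max_tries)

def apxmaj(wiring, x):
    """Numeric APXMAJ_m: feed x[wiring[t]] into leaf t and evaluate over F_Q."""
    return tree([x[t] for t in wiring], gate)

if __name__ == "__main__":
    w = build_apxmaj(8)
    print(len(w), apxmaj(w, [1] * 7 + [5]), apxmaj(w, [0] * 7 + [Q - 1]))
```

For $m = 8$ the circuit has $2^{10} = 1024$ leaves and the check covers both values of $b$ and every set of at most one wrong position. A wiring that sends every leaf to the same input is rejected, since that input alone decides the output; the randomly drawn one is accepted essentially on the first try, matching the union bound in the proof.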